How should healthcare providers manage compliance with the My Health Records System?

By Alexandra Wedutenko, Mathew Baldwin

02 Aug 2018

Differing standards and regulatory requirements apply to health providers who access the My Health Records system, although they are not as stringent as the requirements just introduced in Europe under the General Data Protection Regulation. With the heightened public and regulatory scrutiny for health records, each healthcare provider needs to have a comprehensive data management plan, including a data breach plan.

Regardless of whether the My Health Records System remains opt-in or manages to navigate the current political attention to become an opt-out model, healthcare providers will be handling or accessing an increasing level of personal information and medical information through the system - and that means more data to protect. With the significant interest in and scrutiny from the public and regulators, the consequences of a data breach become overwhelming. How healthcare providers can protect that data, reduce the risk of a reputational and regulatory firestorm, and comply with the various regimes which apply to them, will turn on exactly what they're including in their data management plan. 

What is the My Health Records System?

The Australian Government's My Health Records system contains a summary of each patient's health information, but is not intended to be a complete record of their medical history. It allows online access by healthcare provider organisations to the information that has been uploaded to a patient's My Health Record, as well as the ability for the healthcare provider to include additional information and clinical documents (such as referral letters and prescriptions) in the patient's My Health Record, so they can be seen by other healthcare providers.

The My Health Records system has been operating since 2012 as an opt-in model, allowing patients to create a record in the My Health Records system that can then be shared with healthcare providers in accordance with the patient's chosen access controls.  Previously such records were known as the Personally Controlled Electronic Health Record or eHealth record.  The My Health Record system is now in the process of becoming an opt-out model, though public debate on this increasingly favours the opt-in model remaining and additional restrictions have already been proposed on third party data access.  Should the opt-out model proceed, unless they opt-out, all individuals with a Medicare or Veteran's Affairs card that do not already have a My Health Record will be automatically registered.

What regulation applies to use of the My Health Records System?

Privacy is regulated in Australia under a number of different Commonwealth and State and Territory laws. Private sector and Australian Government organisations, including health service providers, are required to comply with the Australian Privacy Principles under the Commonwealth Privacy Act 1988 (Cth). State and Territory Government bodies (and some private sector healthcare providers) are also subject to regulation under separate privacy laws in most States and Territories. There are additional regulatory protections that apply to the collection, use and disclosure of personal information that is health information because of its particularly sensitive nature.

In addition to these other protections that apply to personal information and health information, there is a specific regime for the My Health Records system and access to a patient's records in it. Under the My Health Records Act 2012 (Cth), the Australian Government has established this parallel regulatory system for the collection, use and disclosure of health information in each patient’s My Health Record. There are already offences and civil penalties under the My Health Records Act that apply to misuse of My Health Records in addition to the consequences under other Commonwealth and State regulations.

Healthcare provider organisations are currently subject to this additional regulation under the My Health Records Act whenever they upload, collect, use or disclose information from a patient's My Health Record. This means that a healthcare provider needs to be aware of the requirements under all of these different regulatory systems that may apply to their use of patient health information, and have an appropriate data management plan to address them.

For example:

  • when accessing records via the My Health Records system, a healthcare provider must comply both with the Commonwealth Privacy Act and also the requirements in the My Health Records Act;
  • when uploading information to the My Health Records system, a healthcare provider will need to comply with these Commonwealth requirements, and may also be subject to State Government regulation that can limit the type of health information the provider is permitted to upload to the My Health Records system, or require that the patient provide additional consents before this is done; and
  • when downloading data from the My Health Records system, the files that have been downloaded are then regulated separately from the My Health Records system by the applicable Commonwealth and State or Territory regulations that apply to personal information and medical information.

There are even differences in what a healthcare provider is permitted to do with information taken directly from the My Health Records System compared to the same information obtained from another source.  For example, only the Australian Digital Health Agency is authorised to disclose health information included in a My Health Record to law enforcement bodies, a position which the Australian Government is now proposing to restrict even further to ensure that a court order is required before such access is granted.  However, if the same information is obtained from a different source there is an ability for the healthcare provider to disclose personal information for law enforcement purposes under the Commonwealth Privacy Act.  It's not clear if the Australian Government will be making further changes to the regulatory requirements to address such inconsistency.

What should healthcare providers do avoid the reputational and regulatory firestorm of a data breach?

Although the Australian Government regulates the My Health Records system, these differing standards and regulatory requirements mean that each healthcare provider should have a comprehensive data management plan which addresses how it will ensure its operations are compliant with the applicable regulatory requirements, based on an assessment of how they apply to each aspect of its operations.

Establishing this regulatory management plan requires an initial audit of your activities, followed by a mapping exercise of the relevant Commonwealth, State and Territory requirements. The plan should cover each stage of the handling of personal information and medical information, demonstrating the process for ensuring compliance in a way that can be verified in future routine compliance audits.

A key aspect of compliance with the My Health Records Act and other applicable personal information and health information regulations is ensuring that the healthcare provider also has a data breach plan, as both the Privacy Act and the My Health Records Act have mandatory data breach reporting obligations. This can be developed as part of, and incorporated into, the data management plan. Not only will you comply with these Acts, you'll also ensures these requirements can be met (and identify who is responsible for reporting). The data breach plan also contributes to demonstrating overall compliance with requirements for data security and management of personal information and medical information, so it's an effective way of minimising both the damage to patients and to your business if there's a data breach.

Get in touch

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.